I’m not one to give away bug bounty target companies, so once again due to the agreements we enter into with these companies, this company will hence forth be referred to as <redacted>
Also, let me preface this with, this is not an insane hack. There’s no 0-day being dropped here, you’re not going to find this on the cover of 2600 Magazine, and you certainly won’t see it center stage at this week’s DEFCON 30. That all being said, this is certainly not the first time I’ve run into this and it’s astounding to me it still is a thing.
That’s right, I’m talking about Default SSH credentials on a production public facing server.
Defining the Attack Surface
So, unlike the many boot to root machines I blog about here, defining the attack surface for a bug bounty is EXTRAORDINARILY different. It’s much more meticulous and MUCH more important.
From what I’ve seen, most people that take part in bug bounties go straight up the middle. They like to go straight to redacted.com/login and start brute forcing the admin@redacted.com account. This is not only a waste of electricity but it’s a waste of your potential as a human on planet earth.
Now I’m not claiming to be el1t3 h@x0r #1 over here, but you do need to be a little more thoughtful than just attacking likely the most hardened surface the target has.
Bug Bounty Scope
To start my bug bounties I first look at the targets scope.
Specifically for this target though, it was extra important to look at what was _OUT OF SCOPE_
Attacking something out of scope is not only embarrassing it could put you in some legal trouble. When I do anything hacking related, regardless of if it’s bug bounties, boot to roots, ctf’s whatever, I always take notes in OneNote. Pick your flavor of note taking tool but it’s important to keep things well organized so you don’t forget important details. It also saves you from running the same commands a million times.
Our target in this case actually only had one domain and all of the sub domains under it. That was enough for me to go after.
Of course they didn’t tell us the subdomains though 🙂 you need to find them yourself.
Sub Domains
Enter, sublist3r easily my favorite subdomain brute forcing tool. This tool reaches out to Google, Bing, Bidu and all of the other search indexers and scrapes them for subdomains on targets that you pass in.
Using this tool on this target I uncovered OVER 300 SUBDOMAINS
That’s a pretty good start
Filtering Live Targets
Now that we have a massive list of subdomains, we now need to see which ones are actually active and which are dead. There’s a series of ways you can do this. I like to keep things extremely simple so I wrote this tool called domain checker that just checks if a machine responds to a ping request or not the returns the ones that do.
Doing this filtered out over half of my subdomains but that still means I went from a single top level domain to about 140 unique subdomain targets that are responding to me. On to the laborious part.
Finding the Vulnerable Service
Port Scanning
This part takes the longest but if you just let your scans run, you can uncover hidden services galore.
When there’s a massive number of targets like this, I like to use a tool called masscan to do my port scanning. With masscan it took me about 10 hours to port scan all of these machines. I also like to have it output into a grepable format using the -oG output flag. Doing this makes the next stages easier.
Banner Grabbing
I don’t usually begin with banner grabbing, but this article is about the default creds service I found, not a comprehensive series of my bug bounty steps. So, suffice to say we’re skipping ahead a little here.
I decided that there were a lot of services I uncovered other than web servers and I wanted to see what they were running. So, when I got to the SSH servers, I did a banner grab of all of them and I wholehearted expected to see something like SSH-2.0-OpenSSH_8.4p1 or something to that affect.
So, you’ll understand my shock when I saw a banner that said it was running a vyos SSH server. I honestly have no idea if that’s a vulnerable service or not. However, I do have the world’s knowledge at my fingertips.
Getting a SSH Shell
I hopped on over to our friend google and searched for vyos ssh default credentials
Sure enough, vyos:vyos was default credentials that shipped with that product.
Now, I did have a solid moment when I told myself
Self, this is a massive company. They’ve been around for DECADES. They have large IT departments and teams of people dedicated to the safety and security of all of their customers. There’s literally zero chance that they have an SSH server running on a production machine that has default credentials. Put down the bong, pickup a book and learn to hack for realz.
Once I was done being self-defeating though I opened up bash and ssh’d in with default creds on the very first server I attempted it on lol
Summary
It doesn’t take mad skills to win at some of these bounties. This company was really nice about it. They were quick and they closed the issue without any problems.
I think the real moral of the story here is that 99% of this was all in the recon phase. There was no brute forcing here. No renting 50 gpu’s to break hashes. Just some good old-fashioned digging and research.
